API3Market

Off-Chain (Private)

Audited on 2024/02/27

No active critical issues

Summary

**Update**: The client has acknowledged all of the 11 findings. None of them pose severe security issues as long as the processes are correctly executed off-chain. However, user trust in off-chain entities is required. ---- The [contracts in scope](#scope) constitute the dAPI market of API3: - Through the `API3Market` contract, users can purchase subscriptions for data feed updates with specific configurations. - The `AirseekerRegistry` keeps track of the currently active subscriptions and the constraints under which Airseekers are supposed to update the data feeds. - The `HashRegistry` contains the Merkle roots of all allowed configurations managed by a set of signers. The code in scope is generally well-written and follows best practices. We have not found any significant security vulnerabilities. However, the code and its security heavily depend on correct and honest executing off-chain components, such as the `owner`, different sets of `signers`, and Airseekers. Furthermore, the out-of-scope `API3ServerV1` contract maintaining the data feeds interacts with the contracts in scope at several points. The security of that `API3ServerV1` contract, its interaction with the contracts in scope, and the off-chain entities were not assessed by Quantstamp.

Project

Api3

Issues (10)

	Low	Medium	High	Critical	Total
Not fixed	7	3	-	-	10
Fixed	-	-	-	-	0
Total	7	3	0	0	10

#	File Name
1	HashRegistry.sol
2	API3Market.sol
3	AirseekerRegistry.sol

#	File Name
1	HashRegistry.sol
2	API3Market.sol
3	AirseekerRegistry.sol

API3Market

Summary

Issues (10)

Attacker Can DoS Queue with Low-Quality Subscriptionsnot_fixed/medium

Reliance on Correctness of Merkle Tree Constructionnot_fixed/medium

Sponsor Wallet Owner Needs to Be Trustednot_fixed/medium

All Chains Must Be in Sync with Same Statenot_fixed/low

Critical Role Transfer Not Following Two-Step Patternnot_fixed/low

Contracts (3)